feat: automatically generate allowedTCPPorts for mdns enabled

interfaces; simplify nftables rules by adding a general untrusted zone
2025-10-11 07:10:39 +02:00 · 2023-05-27 01:59:28 +02:00 · 2023-05-27 01:59:28 +02:00 · 41df399bb6
commit 41df399bb6
parent e37601b486
14 changed files with 231 additions and 168 deletions
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -89,9 +89,8 @@ in {
  # TODO mkForce nftables
  networking.nftables.firewall = {
    zones = lib.mkForce {
+      untrusted.interfaces = ["wan"];
      lan.interfaces = ["lan-self"];
-      wan.interfaces = ["wan"];
-      local-vms.interfaces = ["local-vms"];
    };

    rules = lib.mkForce {
@ -100,34 +99,24 @@ in {
        extraLines = ["ip6 nexthdr icmpv6 icmpv6 type { mld-listener-query, nd-router-solicit } accept"];
      };

-      masquerade-wan = {
+      masquerade = {
        from = ["lan"];
-        to = ["wan"];
+        to = ["untrusted"];
        masquerade = true;
      };

+      # Rule needed to allow local-vms wireguard traffic
+      lan-to-local = {
+        from = ["lan"];
+        to = ["local"];
+      };
+
      outbound = {
        from = ["lan"];
-        to = ["lan" "wan"];
+        to = ["lan" "untrusted"];
        late = true; # Only accept after any rejects have been processed
        verdict = "accept";
      };
-
-      wan-to-local = {
-        from = ["wan"];
-        to = ["local"];
-      };
-
-      lan-to-local = {
-        from = ["lan"];
-        to = ["local"];
-
-        inherit
-          (config.networking.firewall)
-          allowedTCPPorts
-          allowedUDPPorts
-          ;
-      };
    };
  };